Эхлэл Бүгдийг харах Тусламж
Нэвтрэх
golang
/
netmaker
-ын хуулбар https://github.com/gravitl/netmaker
2
0
Салаа 0
Файлууд Асуудлууд 0 Мэдлэгийн сан
Эх сурвалжийг харах

optimise firewall rules

abhishek9686 7 сар өмнө
parent
61bf479e50
commit
fabc9f2920
2 өөрчлөгдсөн 32 нэмэгдсэн , 2 устгасан
Өөрчлөллтийг нэгтгэж харах Өөрчлөлтийн статистик харах
  1. 31 0
      logic/acls.go
  2. 1 2
      logic/peers.go

+ 31 - 0
logic/acls.go
Файл харах 

@@ -656,6 +656,7 @@ func checkTagGroupPolicy(srcMap, dstMap map[string]struct{}, node, peer models.N
 
 			return true
 
 			return true
 
 		}
 
 		}
 
 	}
 
 	}
 
+
 
 	for tagID := range node.Tags {
 
 	for tagID := range node.Tags {
 
 		if _, ok := dstMap[tagID.String()]; ok {
 
 		if _, ok := dstMap[tagID.String()]; ok {
 
 			if _, ok := srcMap["*"]; ok {
 
 			if _, ok := srcMap["*"]; ok {
 
@@ -990,6 +991,36 @@ func getUserAclRulesForNode(targetnode *models.Node,
 
 	return rules
 
 	return rules
 
 }
 
 }
 
 
 
+func checkIfAnyPolicyisUniDirectional(targetNode models.Node) bool {
 
+	targetNode.Tags[models.TagID(targetNode.ID.String())] = struct{}{}
 
+	acls := listDevicePolicies(models.NetworkID(targetNode.Network))
 
+	for _, acl := range acls {
 
+		if !acl.Enabled {
 
+			continue
 
+		}
 
+		if acl.AllowedDirection == models.TrafficDirectionBi {
 
+			continue
 
+		}
 
+		srcTags := convAclTagToValueMap(acl.Src)
 
+		dstTags := convAclTagToValueMap(acl.Dst)
 
+		for nodeTag := range targetNode.Tags {
 
+			if _, ok := srcTags[nodeTag.String()]; ok {
 
+				return true
 
+			}
 
+			if _, ok := srcTags[targetNode.ID.String()]; ok {
 
+				return true
 
+			}
 
+			if _, ok := dstTags[nodeTag.String()]; ok {
 
+				return true
 
+			}
 
+			if _, ok := dstTags[targetNode.ID.String()]; ok {
 
+				return true
 
+			}
 
+		}
 
+	}
 
+	return false
 
+}
 
+
 
 func GetAclRulesForNode(targetnodeI *models.Node) (rules map[string]models.AclRule) {
 
 func GetAclRulesForNode(targetnodeI *models.Node) (rules map[string]models.AclRule) {
 
 	targetnode := *targetnodeI
 
 	targetnode := *targetnodeI
 
 	targetnode.Tags[models.TagID(targetnode.ID.String())] = struct{}{}
 
 	targetnode.Tags[models.TagID(targetnode.ID.String())] = struct{}{}

+ 1 - 2
logic/peers.go
Файл харах 

@@ -177,14 +177,13 @@ func GetPeerUpdateForHost(network string, host *models.Host, allNodes []models.N
 
 		defaultUserPolicy, _ := GetDefaultPolicy(models.NetworkID(node.Network), models.UserPolicy)
 
 		defaultUserPolicy, _ := GetDefaultPolicy(models.NetworkID(node.Network), models.UserPolicy)
 
 		defaultDevicePolicy, _ := GetDefaultPolicy(models.NetworkID(node.Network), models.DevicePolicy)
 
 		defaultDevicePolicy, _ := GetDefaultPolicy(models.NetworkID(node.Network), models.DevicePolicy)
 
 
 
-		if defaultDevicePolicy.Enabled && defaultUserPolicy.Enabled {
 
+		if (defaultDevicePolicy.Enabled && defaultUserPolicy.Enabled) || !checkIfAnyPolicyisUniDirectional(node) {
 
 			if node.NetworkRange.IP != nil {
 
 			if node.NetworkRange.IP != nil {
 
 				hostPeerUpdate.FwUpdate.AllowedNetworks = append(hostPeerUpdate.FwUpdate.AllowedNetworks, node.NetworkRange)
 
 				hostPeerUpdate.FwUpdate.AllowedNetworks = append(hostPeerUpdate.FwUpdate.AllowedNetworks, node.NetworkRange)
 
 			}
 
 			}
 
 			if node.NetworkRange6.IP != nil {
 
 			if node.NetworkRange6.IP != nil {
 
 				hostPeerUpdate.FwUpdate.AllowedNetworks = append(hostPeerUpdate.FwUpdate.AllowedNetworks, node.NetworkRange6)
 
 				hostPeerUpdate.FwUpdate.AllowedNetworks = append(hostPeerUpdate.FwUpdate.AllowedNetworks, node.NetworkRange6)
 
 			}
 
 			}
 
-
 
 		} else {
 
 		} else {
 
 			hostPeerUpdate.FwUpdate.AllowAll = false
 
 			hostPeerUpdate.FwUpdate.AllowAll = false
 
 			rules := GetAclRulesForNode(&node)
 
 			rules := GetAclRulesForNode(&node)